Feeds

Hang in there, Internet Explorer peeps: Gaping zero-day fix coming Tues

What a way to celebrate a DECADE of Patch Tuesday rollouts

Boost IT visibility and business value

Microsoft is preparing to close a wide-open security hole in Internet Explorer - a vulnerability state-backed spies are exploiting to mine organisations across Asia.

A update to fix the flaw is among four critical patches Redmond has lined up for the October edition of Patch Tuesday, due next week. Versions 6 through to 11 of the web browser are known to be vulnerable.

The use-after-free bug in Internet Explorer [CVE-2013-3893] allows attackers to execute arbitrary code on a victim's computer; a mark simply has to surf to a web page booby-trapped with JavaScript that triggers the flaw.

In fact, the bug itself is quite an interesting case study: modern Windows kernels attempt to randomise the layout of software in memory and mark the areas containing just data as non-executable, which in theory is supposed to make life extremely difficult for hackers.

But the web page, in this case, can coax IE into loading a Microsoft Office library that snubs address space layout randomisation (ASLR). This sits in a known region of memory, allowing the attack code to initially hop around the library and use instructions within it to grant itself permission to execute its payload of code.

The attack code is packed into JavaScript strings, which sit in memory that Internet Explorer's MSHTML component accidentally uses when it really shouldn't: it tries to call a function pointer, but by that fatal moment, this pointer instead refers to an attacker-controlled part of memory rather than the expected friendly function.

Exploited since August

The vulnerability first came to public attention late last month when targets in Japan were attacked by miscreants exploiting this programming gaffe. Security biz FireEye published an alert about the infiltration attempts on 23 September, and claimed that assaults using the same bug in Microsoft's browser software started around 23 August.

Redmond had realised there was a problem, though not its seriousness, days before FireEye sounded the alarm. Microsoft published technical details and workarounds to defend against the flaw on 17 September.

Security researchers have since linked the same CVE-2013-3893 bug to multiple attacks by various state-sponsored hacking crews against targets in Taiwan and elsewhere in the Far East. In this context the patch for Internet Explorer versions 6 to 11, due to arrive next Tuesday, can't come a day too soon.

October 2013 marks the tenth anniversary of Microsoft’s regular security patch rollouts, Patch Tuesday. Alongside the critical IE update, the world'll get three similarly critical security fixes for Windows that affect the vast majority of deployed platforms except Windows Server 2012 R2 and Windows RT 8.1. Everything from Windows XP up to and including Windows 8 and Windows RT will need patching.

Redmond's security gnomes are also fuelling up four lower severity security bulletins, all rated as "important". Microsoft Office, Microsoft Silverlight 5 and Redmond's Sharepoint portal server software will all need patching as a result of security fixes due to arrive on 8 October.

More details will be released once the updates are deployed next week. In the meantime, Microsoft's pre-release notice provides more details of the affected software packages.

Wolfgang Kandek, CTO of Qualys, commented: "The recent [Internet Explorer] 0-day ... is certainly the top-priority patch for next week and it affects all versions of Internet Explorer from 6 to 11. Fortunately, attack volume using this vulnerability has continued to be low and this has given Microsoft the opportunity to do a full test cycle on all possible combinations of operating systems and target sites."

Adobe - fresh from warning about a compromise on its website that might have exposed the IDs, password hashes, and encrypted credit card information of nearly three million customers - separately announced plans to deliver a solitary patch for Acrobat 11.0.4 and PDF Reader 11.0.4 on Windows. More details can be found in Adobe's advisory here. ®

Gartner critical capabilities for enterprise endpoint backup

More from The Register

next story
Microsoft: We plan to CLEAN UP this here Windows Store town
Paid-for apps that provide free downloads? Really
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?